Microsoft has released MS12-063 to address vulnerabilities affecting Internet Explorer versions 6, 7, 8, and 9. The most severe of these vulnerabilities allows arbitrary code execution when exploited. It is the same vulnerability that was earlier reported as being used in attacks that deliver remote access tools (RATs). Here’s an in-depth analysis of one of the vulnerabilities:

The use-after-free vulnerability arises when a deleted object is referenced, for instance by calling document.write() to replace the whole page while an event queued through the execCommand method is still pending. When execCommand is called, a CMshtmlEd object is created. When the page is replaced and that object is deleted, Internet Explorer releases the CMshtmlEd object. Later, mshtml!CMshtmlEd::Exec() accesses the released CMshtmlEd object without verifying that it is still valid, leading to the use-after-free.

In the samples we’ve seen, execCommand is invoked with the action “selectAll”. At the same time, the body has another action triggered on selection. This action replaces the whole page with some text, forcing IE to free the body objects. After the objects have been deleted, execCommand tries to use them, leading to the use-after-free. A Flash object is used to spray the heap with controlled data to alter the execution flow.
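The trigger sequence above (execCommand with “selectAll”, a handler fired on selection, and a document.write() that replaces the page while the command is pending) is specific enough to look for in page source. The following is an added detection example, not code from the original post or from Trend Micro; the sample pages and the indicator names are constructed for illustration, and the verdict requires all three core pieces together because each one alone is common in legitimate pages.

```python
import re

# Added example: indicators for the trigger sequence described in the post.
# The SWF indicator covers the heap-spray component but is not required for a verdict.
INDICATORS = {
    "execCommand_selectAll": re.compile(r"""execCommand\s*\(\s*['"]selectAll['"]""", re.I),
    "selection_handler": re.compile(
        r"""\bonselect(start)?\s*=|addEventListener\s*\(\s*['"]select(start)?['"]""", re.I),
    "document_write": re.compile(r"\bdocument\.write(ln)?\s*\(", re.I),
    "swf_embed": re.compile(r"""\.swf['"]|application/x-shockwave-flash""", re.I),
}

def find_indicators(html):
    """Map each indicator name to whether it occurs in the page source."""
    return {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}

def looks_like_ms12_063_trigger(html):
    """True only when the three core pieces of the sequence appear together.
    Rich-text editors call execCommand and many pages call document.write,
    so a single indicator on its own is not treated as suspicious."""
    found = find_indicators(html)
    return found["execCommand_selectAll"] and found["selection_handler"] and found["document_write"]

# Constructed sample pages (not captured from the campaigns described in the post).
BENIGN_EDITOR_PAGE = """<html><body>
<div contenteditable="true" id="ed">hello</div>
<script>
document.write("<p>loaded</p>");              // harmless on its own
document.execCommand("bold", false, null);    // ordinary rich-text editing
</script></body></html>"""

SUSPICIOUS_PAGE = """<html><body onselect="rewrite()">
<object type="application/x-shockwave-flash" data="spray.swf"></object>
<script>
function rewrite() { document.write("replaced"); }   // replaces the page mid-command
document.execCommand("selectAll");                   // queues the selection event
</script></body></html>"""

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_EDITOR_PAGE), ("suspicious", SUSPICIOUS_PAGE)):
        print(label, find_indicators(page), "->", looks_like_ms12_063_trigger(page))
```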

Zero-day Exploit in the Wild

The exploit for the above-mentioned vulnerability, detected by Trend Micro as HTML_EXPDROP.II, has been seen used in several attacks. In one instance, the exploit was found loading SWF_DROPPR.II, which in turn downloads a PoisonIvy variant detected as BKDR_POISON.BMN. A second attack leads to TROJ_PLUGX.ME, which executes malicious files on the infected systems. This malware is a variant of the PlugX remote access tool (RAT) recently blogged here.

Attackers show no sign of stopping, as we have seen more attacks leveraging this bug. In particular, several compromised websites were found hosting exploits for this vulnerability. Users who visit these sites are served the exploit, which ultimately leads to PlugX variants being downloaded onto their computers.

Below are some of these compromised sites and attacks.

Compromised Site            | Exploit                             | Malicious .SWF File Component | Payload
everich2.{BLOCKED}ft.tw.rar | HTML_EKSPLOYT.AE, HTML_EXPDROP.II   | SWF_DROPPR.II                 | BKDR_PLUGX.AQ
get.{BLOCKED}ks.com.rar     | HTML_EXPDROP.II                     | SWF_DROPPR.II                 | BKDR_PLUGX.AR
www.{BLOCKED}enews.in.rar   | HTML_EKSPLOYT.AE, HTML_EXPDROP.II   | SWF_DROPPR.II                 | BKDR_PLUGX.AP
www.{BLOCKED}in.com.tw.rar  | HTML_EKSPLOYT.AE, HTML_EXPDROP.II   | SWF_DROPPR.II                 | BKDR_PLUGX.AQ
www.{BLOCKED}gameshow.com   | HTML_EXPDROP.SMA, HTML_EXPDROP.SMB  | SWF_DROPPR.II                 | BKDR_PLUGX.AT

With these developments, it is imperative for users and IT administrators to update their systems with the security patch released by Microsoft. Trend Micro users need not worry as they are protected from these threats.

This entry was posted on Friday, September 21st, 2012 at 3:20 pm and is filed under Vulnerabilities.